This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Quentin_Antrim
Participant
‎2020-12-18 09:54 AM

Concurrent connections drastically increase after switch replacement

I have a cluster of two CheckPoint 13000 appliances running R80.30.   

Originally, on the internal side, they were connected to a core cluster of Cisco 6509 switches, each firewall connected to one of the two 6509 switches.

Just recently the core 6509 switches were replaced with a core cluster of Cisco Nexus 9500 switches, each firewall connected to one of the Nexus 9500 switches.   

At the time of the replacement of 6509 switches with the 9500 switches, our average and peak connections almost doubled.

Whereas our previous normal peak would be 60K connections, our new peak became 100K connections, causing us to increase our concurrent connections max limit because of this unexpected increase.

Looking for any help in possible cause of this issue.   Has anybody seen anything similar before, and what was the cause/fix?

Also trying to figure out how I can really tell what that increase in connections would be.   What could I look for/at to determine what those roughly extra 40K of connections are in the firewall?

Thanks.

Quentin

0 Kudos
4 Replies
G_W_Albrecht
Legend Legend
Legend
‎2020-12-18 10:07 AM

My only suggestion is to check differences in the switch configs. But i fear that had been done already.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Quentin_Antrim
Participant
‎2020-12-18 10:34 AM
In response to G_W_Albrecht

Correct.   Thanks.

 

0 Kudos
FraP
Contributor
‎2020-12-18 11:26 AM

I seen a similar behaviour on a couple of nexus 9k and the issue was on switch side where for some reason packets was duplicated.
I don't know your topology so i can assume nothing, but:
Did you check if the arp table is compliant with your expectetion either on switches and firewall side?
Maybe a packet capture can help to identify duplicate packets and "netstat -ni" in expert mode to figureout if you can see error or drop on the firewall interfaces

0 Kudos
Quentin_Antrim
Participant
‎2020-12-18 12:18 PM
In response to FraP

Thanks.  Yes, due to the magnitude of the increase I'm thinkng a duplicate packet issue also.  I've already done some packet captures but haven't been able to determine anything yet.   No errors or drop in netstat -ni.   Nothing standing out in ARP table on FW, yet.    Thanks for the suggestions.  

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events